Help me stop module32.exe pest

Discussion in 'malware problems & news' started by adspace, Mar 24, 2004.

Thread Status:
Not open for further replies.
  1. adspace

    adspace Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    13
    :( I keep receiving the "module32.exe" virus, spyware, trojan or whatever this thing is. I have become quite familiar with it and how to get rid of it and remove it. The only problem is that I need to find a way to stop it from even entering my system in the first place. I guess my question (as a newbie to the forum) is how can I use This SPYWARE BLASTER to stop the entry of this "thing".......Thanks in advance for any Help
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey adspace

    You may have partnered malicious code on your system that keeps restoring itself as you delete it. Have you tried scanning using properly configured/updated Anti-Virus Systems AND Anti-Trojan Systems AND Anti-Spyware Systems?
     
  3. adspace

    adspace Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    13
    Yes, I run about 10 autosurf programs and there is one site that has this embedded code or something. I can completely remove the "module32.exe" and it is completely gone ...the problem is after a few hours of running the auto-surf programs it comes back and the firewall stops its execution. How can SPYWARE BLASTER help me to stop another attack of this bug....Note the module32.exe goes straight to the msconfig start-up and resides in a folder always named "rfv"...since we know what this bug does how can it be stopped?
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    It's a shame you don’t have the site, I’d go see if I can reproduce the problem.
    Do you see its connection info? Do you see what the destination IP/ports are?
     
  5. adspace

    adspace Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    13
    Oh, one other thing: McAfee, Norton and Trend Micro do not even detect this thing, neither do Trojan detector programs.... also if anyone does get this bug I can tell them how to remove it completely....the only problem is that since as of yet I have found no Windows Patches Bug Patches etc it can always come back (not because it's coded some place on your hard drive but because it is a very sneaky bug)
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    adspace,

    In fact they do. What antitrojan software is running on your system?

    TDS3 as well as BOClean will cope with this nastie in the meanwhile for example. Here are some specs:

    - It steals cached passwords on Win9x, and uses Protected Storage PassView to get autocomplete and other stored passwords from NT or higher systems.

    - Stores stolen information in:

    %windir%\rfv\htm.txt
    %windir%\rfv\req.txt

    - Logged keystrokes into %windir%\rfv\kbd.txt

    - Hides itself from process viewers by injecting library32.dll into all processes.

    I do recommend grabbing a trial version from TDS3, update the radius (database) manually, and perform a full system scan.

    regards.

    paul
     
  7. adspace

    adspace Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    13
    :( no doubt....but I think everyone is missing the BIG Question.....that is, let's not wait till a system gets infected, let's STOP it from gaining access in the first place. As for me I have Re-Formatted 6 times on my other system...thinking originally it was an undetected *boink* in my hard drive. Next I stuck a back up computer box from the garage in line and after auto-surfing about two hours this system got hit also...that's when I started looking into the module32.exe as the problem. Learning how to clean it out completely. I spent several hours trying different security settings in IE 6 SP1 but again the little bug made it back. I even eliminated all unnecessary TCP IP Binding using only TCP IP as my only connection. I also removed any other program that uses internet FTP, Outlook Express etc......If we know what it's called and know where it goes and what files it creates why can't we add some sort of flag or something in Spy Ware Blaster to stop this thing from gaining access.
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Those Anti-Trojan Systems Paul Wilders mentioned provide powerful Real-Time Memory Scanning systems.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did you say you get it from visiting special sites or where does it come from? If you know the site, is it possible to put that in your restricted zone?
    And restricted for me means highest security settings where nothing is allowed, also in your firewall put extra security on that?
    Using the spywareblaster and other tools JavaCool created certainly adds an extra layer in protection from nasties to enter your system.
    Of course you keep your windows updated by the day.
    Maybe if you run too many surfblockers at a time they detect each other instead of one or two doing their job properly?

    With the tools recommended above detect and remove the nasty again, not sure if you run XP or ME in which case after cleaning you should disable system restore, reboot, enable system restore again and make manually a new restore point for the clean situation.

    Further encrypt your sensitive and personal data for instance with CryptoSuite which does its work really well and even has an encrypted chat included to keep in contact with the people you want to be in Fortress Adspace.

    And of course with the scanners do scan on a frequent scheme to be sure to keep it clean and if it would enter you should be able to know from where it came and take all measures, including system restore if necessary.

    In the meantime I hope you did change passwords and other sensitive things, credit card numbers, etc.

    Good luck!
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Preventing infection has been addressed: either use TDS3 with execprot enabled resident running, or go for BOClean, that will prevent infection as well.

    I've provided a short explanation above. In addition to that:

    "hxtps://my.screenname.aol.com/_cqr/login/login.psp" is the SSL login to AOL, so that was the URL that it would have "dialed into" using SSL and then actually logging in as a user as it seems.

    note: for security reasons I disabled the link provided above - paul

    Finally: this one does belong in the antitrojan department first and foremost. SpywareBlaster seems not the software for coping with this IMO.

    regards.

    paul
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Does the nasty it belongs to have another name?
    Since you know now the site that can be blocked in the firewall and Port Explorer would show such illegal connections which you can block immediately completely once you would see them, but first of all to avoid getting them on your system or activating at all!
    Suppose it was submitted to the developers in the meantime too? submit@diamondcs.com.au just in case it would be another variant of something.
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Jooske,

    All been taken care of a while ago. No need to submit the file once more.

    regards.

    paul
     
  13. AquaDemon

    AquaDemon Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    2
    if you want to prevent it getting into your system in the first place....USE OPERA OR MOZILLA FOR GOD SAKE!
    if you start lookin into TCP if it's a IE bug...you must be edited out - please withhold from offending - paul
     
    Last edited by a moderator: Apr 13, 2004
  14. Jen4SFI

    Jen4SFI Guest

    I have recently downloaded the free trial of TDS-3. I also have Spybot S&D along with a paid version of Pest Patrol. After my new install of TDS-3 (tonight)... upon opening the file to run it I receive an error message stating "TDS-3 has encountered a problem and has to shut down....blah blah" then it gives the ModAPP as "library32.dll". Of course, I realize this is a relation to the module32.exe. However, I have downloaded TDS-3 on a brand new PC, and Spybot S&D, and PP, anti-virus, ZAPRo, etc was installed prior to even plugging it in. (only had it plugged in for 2 days). Plus I have System Suite as an anti-virus, etc and Zone Alarm Pro as my firewall. I'm looking to get Norton reinstalled as System Suite with its "high" reviews..quite honestly sucks.

    I did a full system scan looking for files as suggested for "library32", module32, .htm, etc...no files are being located even when I include "check hidden files" on my system search.

    Even further, my pest patrol can run by doing a scan but I get an error message with '"ppmemcheck" has experienced a problem and has to shut down' same MODAPP "library32".

    In addition, I have done a windows update, am using Mozilla browser now, and I'm still at a loss. Brand new PC folks..all applications were clean installed. The only transfers of files were Microsoft Word documents and Music files (mostly obtained by loading my own CD's...not peer to peer groups). Some files transferred were simply php files that I run for my businesses.

    So my question is...on a new PC...how come with both Pest Patrol, System Suite, Spybot S & D, and TDS-3... I can't even get full use of them due to this "Modapp library32" when my system doesn't find it even in hidden files?

    How can I get TDS-3 or other anti-trojan programs to run if this stupid "library32.dll" prevents me too?

    Please help...thanks.

    Jennifer
     
  15. uni1

    uni1 Guest

    I have a horrible feeling module32.exe is embedded in Pest patrol.
    I did not have this problem until I downloaded Pest Patrol 3 days ago.
    I just got rid of the bug and then made sure Pest patrol was completely off my system.
    Not had a problem since (touch wood).
    I really hope I am wrong on this but the coincidences keep stacking up.
     
  16. yukon98

    yukon98 Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    11
    Location:
    UK
    To remove Module32 manually.

    Start your computer in safe mode.
    Start Windows Explorer and delete:
    %WinDir%\RFV\

    C:\Windows (Windows 95/98/Me/XP) or
    C:\WINNT (Windows NT/2000).
     
  17. muckto

    muckto Registered Member

    Joined:
    May 31, 2004
    Posts:
    1
    Yukon, not sure if this would help because module32.exe can be stored under different folders' name...I was infected myself Adspace and it took me a while to locate the beast but one protection payware did identify and quarantine it in 5 minutes, it's called Security Task Manager and it's there:
    http://www.neuber.com/taskmanager/

    Hope it helps you and others...

    Best,
    Jack Muckto
     
  18. DarkManX

    DarkManX Guest

    I also had the module32.exe on my system trying to connect with internet. And I also think it has to do with PestPatrol. I've installed the trial version a few days ago and today morning (1.19am) the module tried to connect to these addresses: 62.109.123.253:1493 and 213.191.74.19:53
    At 1.46am it tried to connect to this ip: 213.191.74.19:53
    I blocked it and removed pestpatrol. I couldn't find the module32.exe in the windows task manager but I found it with the program AIDA32 when looking in running processes. The module32 was in C:/windows/tgbcde but it was only visible in safe mode when logging in as Admin. Seems like it only had admin rights.
    I'm still looking for the rfv file for deleting it.

    Hope I could help you.
     
  19. Whipnet

    Whipnet Guest

    I got this on one of my machines as well.
    What a Pain.
    I have never used Pest Control. (o_O)
    I have no rfv directory.
    Spybot and Ad-Aware seem to not see it.
    Module32.exe shows up as service, but I can not find that exe anywhere on the hard drive.
    Arggg...
     
  20. DarkManX

    DarkManX Guest

    Hi!

    The exe file can only be seen in safe mode. You have to log in as admin. Then you will find it in the directory I've written in my thread above.
    I also can't find the rfv files. Maybe they are only created if module32 once accessed to the internet.
     
  21. LindaGig

    LindaGig Guest

    i too have had module32.exe problems. i'm not a techie so pls. bear w/me ... it is now solved. evidently the pwsteal.trojan was responsible. when i booted up norton av would alert me that this trojan was detected and was found in c:\windows\tgbcde\library32.dll then i would get the windows module 32.exe message. we ran msconfig, startup and unchecked the module 32 box and all is well w/the world. hope this helps someone else out there.
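
    Added example, not part of the thread and not any vendor's tool: a Python check that walks a Windows directory for the file and folder names reported in the posts above (Paul Wilders' `rfv` artifact list, and the `tgbcde` path from DarkManX and LindaGig). It goes beyond the two reported folders by matching the binaries by name in any folder, since muckto notes the folder name can differ; the function names, depth limit and sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Indicator names reported in the thread; matched case-insensitively.
BINARIES = {"module32.exe", "library32.dll"}
LOG_FILES = {"htm.txt", "req.txt", "kbd.txt"}
FOLDERS = {"rfv", "tgbcde"}


def scan(root, max_depth=2):
    """Return sorted (relative_path, reason) findings under root (e.g. %windir%)."""
    root = os.path.abspath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []  # stop descending below max_depth
        names = {f.lower(): f for f in filenames}
        known_folder = depth > 0 and os.path.basename(dirpath).lower() in FOLDERS
        if known_folder:
            findings.append((rel, "folder name reported in thread"))
        binaries = names.keys() & BINARIES
        for key in binaries:
            findings.append((os.path.join(rel, names[key]), "binary name"))
        logs = names.keys() & LOG_FILES
        # The .txt names are generic: report them only beside another
        # indicator, or when at least two of the three sit together.
        if logs and (known_folder or binaries or len(logs) >= 2):
            for key in logs:
                findings.append((os.path.join(rel, names[key]), "log file name"))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree (hypothetical, not real data)."""
    sample = ["rfv/htm.txt", "rfv/kbd.txt", "tgbcde/Module32.EXE", "Help/req.txt",
              "tgbcde/library32.dll", "system32/notepad.exe", "abc/xyz/module32.exe"]
    with tempfile.TemporaryDirectory() as windir:
        for item in sample:
            path = os.path.join(windir, *item.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return scan(windir)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:32} {path}")
```

    Because the posts report the files as visible only in safe mode, `scan()` is best pointed at the Windows directory from safe mode or from the disk mounted on another system.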
     